
International Journal of Advanced Computer Science, Vol. 2, No. 9, Pp. 321-329, Sep., 2012.

Threats Analysis on VoIP System

Narendra M. Shekokar & Satish R. Devane
Received: 17 Sep. 2011; Revised: 28 Feb. 2012; Accepted: 29 Mar. 2012; Published: 15 Oct. 2012

VoIP, Confidential threats, Integrity threats, Availability threats, Social Threats.

Abstract: VoIP systems are popular compared with the Public Switched Telephone Network (PSTN) because they are economical and offer the latest multimedia features. As a result, the number of VoIP subscribers, and of threats, is increasing rapidly. In this paper we attempt to classify VoIP threats as confidentiality, integrity, availability and social threats, and propose guidelines to prevent


This work was supported by Dwarkadas J. Sanghvi College of Engineering. Narendra M. Shekokar, Asst. Professor, D. J. Sanghvi College of Engineering, Mumbai, India. Satish R. Devane, Principal, Ramrao Adik College of Engineering, Navi Mumbai, India.

Voice over Internet Protocol (Voice over IP or VoIP) allows users to make phone calls over the Internet. VoIP has been widely adopted because communication over a VoIP network is more economical than over the traditional PSTN [1]. VoIP systems use two signaling protocols: the Session Initiation Protocol (SIP) [2], proposed by the Internet Engineering Task Force (IETF), and H.323 [3], proposed by the International Telecommunication Union. These signaling protocols are responsible for establishing, maintaining and terminating calls, locating users, and controlling the media transport. As adoption of SIP-based telephony increases, so do confidentiality, integrity, availability and social threats. In this paper we analyze these threats and propose mitigation guidelines for each threat, which give a roadmap for future work. The paper is organized as follows. Section 2 gives an overview of the SIP protocol. Section 3 analyzes confidentiality, integrity, availability and social threats. Section 4 proposes mitigation techniques. Section 5 concludes the paper.

Overview of SIP

SIP is a text-based protocol; it is more popular than H.323 because of its simplicity and flexibility. In SIP, a session is first established between two user agents (UAs), and then the RTP voice stream is exchanged based on the negotiated media session parameters. At the end, the call is terminated by sending a BYE message to the peer. Various vulnerabilities have been found in SIP-based authentication: authentication is applied to only a few SIP messages; SIP authentication protects only a few SIP fields; and authentication is applied to SIP messages from the UA (i.e., the SIP phone) to SIP servers, leaving all SIP messages from the SIP servers to the UA unprotected [4]. These SIP vulnerabilities invite various threats to VoIP systems, which we attempt to classify in the next section.

VoIP Threats

A. Integrity Threats

An unauthorized user may perform unauthorized operations such as deleterious modification, destruction, deletion or disclosure of switch software, data and messages between two UAs. Integrity threats are listed below.

1) Message Alteration: The process of interception, alteration and resending of messages within a trusted conversation is known as a man-in-the-middle attack. Voice conversation via VoIP is fundamentally different from traditional telephone systems. While the traditional telephone network has voice data travelling along a dedicated network, in VoIP voice data is transmitted as packets through shared computer networks, often including the Internet, where its path is shared with other types of traffic and is more widely accessible. Because of this, it is conceivable that without proper protection attackers may be able to alter or scramble the content of messages so that they are unusable or unrecognizable. Message alteration can also include changing voice mail, fax and other messaging services via VoIP, as well as video reconstruction [36].

2) Call Black Holing: Call black holing is any unauthorized method of deleting or refusing to pass any essential elements of protocol messages in the middle of communication entities. The consequences of call black holing are delayed call setup, refused subsequent messages, application errors, dropped call connections, and so on. For example, an attacker acting as an intermediary drops only ACK



messages between call entities so that the SIP dialog cannot be completed, even though there could be early media between them [37].

3) Media Alteration: Media alteration is the threat that an attacker intercepts media in the middle of communication entities and alters media information to inject unauthorized media, degrade the QoS, delete certain information, and so on. The typical examples are media injection and degrading.

a) Media Injection: Media injection is an unauthorized method in which an attacker injects new media into an active media channel or replaces media in an active media channel. The consequence of media injection is that the end user (victim) may hear advertisement, noise, or silence in the middle of a conversation [37].

b) Media Degrading: Media degrading is an unauthorized method in which an attacker manipulates media or media control (for example, Real-Time Control Protocol [RTCP]) packets and reduces the QoS of any communication. Here are a couple of examples:

1. An attacker intercepts RTCP packets in the middle and changes (or erases) the statistic values of media traffic (packet loss, delay, and jitter) so that the endpoint devices may not control the media properly.
2. An attacker intercepts RTCP packets in the middle and changes the sequence number of the packets so that the endpoint device may play the media in the wrong sequence, which degrades the quality [37].

4) Invite Attack: The attacker listens to network traffic looking for an INVITE request, steals the authentication information, reconstructs a spoofed INVITE request and then redirects it to the callee or to the SIP server [6].

5) RTP Injection Attack: RTP is used for real-time voice or data transfer. The attacker injects an RTP stream by sending a sequence of RTP packets to the appropriate IP address and port, so the endpoint receives the injected RTP stream rather than the actual conversation. This attack can result in an intermittent voice conversation or in crashing the client [6].

6) SQL Code Injection Attack: In this attack, an attacker tampers with the SIP message and inserts malicious SQL code in its Authorization header. The malicious code can be embedded either in the username or in the realm field of the Authorization header [12].

7) Media Degrading: The attacker manipulates media or media control (for example, Real-Time Control Protocol [RTCP]) packets by changing the sequence number of packets. The result is reduced QoS of any communication [19].

8) Caller Identification Spoofing: In VoIP the caller ID service relies on the From header to supply the identity. If the attacker can control the gateway server, he can arbitrarily change the From header to anything he wants.

9) Call Pattern Tracking: Through call pattern tracking, an attacker discovers the identity, affiliation, presence and

usage of the network. It is a general technique that enables unauthorized conduct such as theft, extortion and deceptive practices including phishing [23].

10) Traffic Capture: This is an unauthorized recording of traffic by any means and includes packet recording, packet logging and packet snooping for unauthorized purposes. Traffic capture is a basic method for recording a communication without the consent of all the parties [23].

11) Number Harvesting: Number harvesting is the authorized collection of IDs, which may be numbers, strings, URLs, email addresses, or other identifiers in any form which represent nodes, parties or entities on the network [23].

12) Conversation Reconstruction: This is the duplicating or extracting of information on the audio content of a conversation, encapsulated in any one or more protocols and however encoded, which is done without the consent of all parties to the communication [23].

13) Voicemail Reconstruction: Voicemail reconstruction is any unauthorized monitoring, recording, storage, reconstruction, recognition, interpretation, translation, and/or feature extraction of any portion of any voice mail message [23].

14) Proxy Impersonation: This attack tricks the victim into communicating with a rogue proxy set up by the attacker. Once an attacker impersonates a proxy, he has complete control of the call. The attacker tricks UAs into communicating with the rogue proxy server instead of the legitimate proxy server [8].

15) Call Redirection or Hijacking: Call redirection occurs when a call is intercepted and rerouted through a different path before reaching the destination [6].

16) Rogue IP Phone: A malicious user may connect an unauthorised IP phone to the network. A rogue phone poses threats such as identity fraud and can be utilised to start unauthorised services or launch attacks against other devices in the network.

17) False Caller-ID: Another potential threat to integrity may arise from users being able to change their caller ID to a fraudulent value (commonly referred to as caller ID spoofing). Similar to altering the message content, identity fraud can also include utilising false caller IDs to allow fraudsters to be proactive in engaging contact with a VoIP user while pretending to be someone else. By using a caller ID phone number known to be associated with a given organisation, a fraudster can gain further credibility in their claim to be someone else [36].

B. Availability Threats

Availability refers to the notion that information and services are available for use when needed. A VoIP network is susceptible to denial-of-service (DoS) attacks since DoS attacks can degrade QoS quickly to an unacceptable level. DoS is an
International Journal Publishers Group (IJPG)

Narendra M. Shekokar et al.: Threats Analysis on VoIP System.


active and direct attack. The attacker does not aim to steal anything. He simply wants to put the service out of order.

Flooding Attacks: These attacks rely on sending several legitimate SIP packets in such high volumes that the targeted system is so busy processing the requests that it is unable to process anything else. Even if the targeted system is able to continue processing requests, it becomes so slow that applications cease to function correctly [6].

1) SIP Register Flooding: The attacker floods the register server with fake REGISTER requests; attackers can also flood an application server with multiple copies of the same spoofed REGISTER request.

2) Invite Flooding Attack: The INVITE flooding attack is similar to REGISTER flooding. The INVITE method is used instead of the REGISTER method to launch the INVITE flood.

3) Endpoint Request Flooding: A DoS attack on an endpoint could consist of sending a large number of valid/invalid call setup messages (e.g., SIP INVITEs), which could cause the endpoint to crash, reboot, or exhaust all .

4) Endpoint Request Flooding after Call Setup: A DoS attack on an endpoint could consist of sending a large number of valid/invalid call control messages (e.g., SIP RE-INVITEs) after a call has been successfully established, which could cause the endpoint to crash, reboot, or exhaust all endpoint resources. This may also result in dropping the existing connection.

5) Authentication Flooding Attack: SIP includes an authentication mechanism based on the HTTP Digest mechanism. This authentication mechanism uses a challenge/response model. When the application server receives the client response, it checks this response by repeating the MD5 calculation using its stored value for the user's password. If the calculated response matches the one submitted by the client, then the request can be processed. An attacker can exploit this to run a DoS attack. response will suffice as the attacker does not have any valid passwords, and so all responses will fail [12].

6) Injecting Invalid Media into Call Processor: This form of DoS can be triggered by the injection of invalid media into the call processor by the caller or by a third party. This will cause the endpoints to crash, reboot, or exhaust all call processing capacity.

7) Malformed Protocol Messages: This form of attack consists of sending malformed signaling messages to a target node to degrade its performance.

8) Malformed Message Attacks (Protocol Fuzzing): This kind of attack relies on sending large numbers of malformed messages to a SIP application server.

9) Faked Response: For example, a perpetrator may send a Busy Here or an error response message when replying to an incoming call, thus denying the delivery of the call to the victim. The victim is not able to receive any incoming call.

10) Injecting Invalid Media into Call Processor: This form of DoS can be triggered by the injection of invalid media into the call processor by the caller or by a third party. This will cause the endpoints to crash, reboot, or exhaust all call processing capacity.

SIP DoS Attack: SIP DoS attacks exploit vulnerabilities in SIP protocol implementations. During call establishment, SIP agents exchange a series of messages; here an attacker can impersonate a legitimate SIP client to modify, alter, deny, or hijack VoIP calls [6].

1) SIP Deregistration Attack: In the deregistration attack, the attacker sniffs the network traffic looking for a registration message and, when one is found, constructs a spoofed message identical to the captured one except that the expire field is set to zero, then directs it to the server. As a result the server removes the victim's record, and the victim has no indication that he isn't registered at the server.

2) SIP Cancel Attack: The attacker listens to the network traffic for new calls and then terminates each call with a CANCEL request.

3) SIP BYE Attack/Force Teardown Attack: VoIP calls are terminated by the attacker sending a SIP BYE request. Many VoIP application servers and clients will process a BYE request without requiring authentication. This means that it is easy to construct a BYE request and send it to the application server, which will then terminate the call.

4) Faked Respond Attack: SIP authentication is applied only to SIP messages from the client to the servers, and it leaves all SIP messages from the SIP servers to the client unprotected. An attacker can simply exploit this vulnerability to send the client a faked response, preventing him from making calls, or to redirect the call to another callee.

5) Amplification Attacks: The attacker creates bogus requests containing a falsified source IP address and a corresponding Via header field identifying a targeted host as the originator of the request. Subsequently, the attacker sends this request to a large number of SIP network elements, thereby causing hapless SIP UAs or proxy servers to generate a DoS attack aimed at the target host, typically a server. Similarly, DoS can also be carried out on an individual by using falsified Route header field values in a request that identifies the target host, and then sending these messages to forking proxies that will amplify messages sent back to the target. Record-Route is used to similar effect when the attacker is certain that the SIP dialog initiated by a request will result in numerous transactions originating [35].

6) Fraggle Attack: This attack is essentially based on the same concept as the Smurf attack (namely that generating huge amounts of network traffic will disable a machine or



cause it to lose connectivity to the Internet), but uses UDP instead of ICMP. Although it is not as serious as some other attacks of this type, it will still generate a huge amount of network traffic. Here is how it works: a hacker is armed with a list of broadcast addresses, to which he/she sends spoofed UDP packets. Usually the packets are directed to port 7 on the target machines, which is the echo port. Other times, they are directed to the chargen port (a port that generates a number of characters when queried). Sometimes a hacker is able to set up a loop between the echo and chargen ports, generating all that much more network traffic (this attack generally works on NT boxes). The result of this attack is, as stated earlier, a massive amount of traffic on the network.

ICMP Attacks: ICMP is used by the IP layer to send one-way informational messages to a host. There is no authentication in ICMP, which leads to attacks using ICMP that can result in a denial of service or allow the attacker to intercept packets. A few types of attacks associated with ICMP are as follows [21]:

1) ICMP DoS Attack: An attacker could use either the ICMP "Time exceeded" or "Destination unreachable" messages. Both of these ICMP messages can cause a host to immediately drop a connection. An attacker can make use of this by simply forging one of these ICMP messages and sending it to one or both of the communicating hosts. Their connection will then be broken. The ICMP "Redirect" message is commonly used by gateways when a host has mistakenly assumed the destination is not on the local network. If an attacker forges an ICMP "Redirect" message, it can cause another host to send packets for certain connections through the attacker's host.

2) ICMP Packet Magnification (or ICMP Smurf): An attacker sends forged ICMP echo packets to vulnerable networks' broadcast addresses. All the systems on those networks send ICMP echo replies to the victim, consuming the target system's available bandwidth and creating a denial of service (DoS) to legitimate traffic.

3) Ping of Death: An attacker sends an ICMP echo request packet that's larger than the maximum IP packet size. Since the received ICMP echo request packet is larger than the normal IP packet size, it's fragmented. The target can't reassemble the packets, so the OS crashes or reboots.

4) ICMP PING Flood Attack: A broadcast storm of pings overwhelms the target system so it can't respond to legitimate traffic.

5) ICMP Nuke Attack: Nukes send a packet of information that the target OS can't handle, which causes the system to crash.

Types of Fragmentation Attacks: There are numerous ways in which attackers have used fragmentation to infiltrate networks and cause a denial of service; some of these are discussed below [24].

1) Ping O Death Fragmentation Attack: The Ping O Death fragmentation attack is a denial of service attack which utilises a ping system utility to create an IP packet that exceeds the maximum allowable size for an IP datagram of 65535 bytes. This attack uses many small fragmented ICMP packets which, when reassembled at the destination, exceed the maximum allowable size for an IP datagram. This can cause the victim host to crash, hang or even reboot.

2) The Tiny Fragment Attack: This attack uses small fragments to force some of the TCP header information into the next fragment. This may produce a case whereby the TCP flags field is forced into the second fragment, and filters that attempt to drop connection requests will be unable to test these flags in the first octet, thereby ignoring them in subsequent fragments. This attack can be used to circumvent user-defined filtering rules. The attacker hopes that a filtering router will examine only the first fragment and allow all other fragments to pass.

3) The Teardrop Attack: The teardrop attack utilizes the weakness of the IP protocol reassembly process. The teardrop attack is a UDP attack which uses overlapping offset fields in an attempt to bring down the victim host.

4) The Overlapping Fragment Attack: This attack is not a denial of service attack; it is used in an attempt to bypass firewalls to gain access to the victim host. It can be used to overwrite part of the TCP header information of the first fragment, which contained data that was allowed to pass through the firewall, with malicious data in subsequent fragments. A common example of this is to overwrite the destination port number to change the type of service, i.e. change from port 80 (HTTP) to port 23 (Telnet), which would not be allowed to pass the router in normal circumstances. Ensuring that a minimum fragment offset is specified in the router's IP filtering code can prevent this attack.

Voice Pharming: Unauthorized call diversion is called voice pharming, where the attacker transparently diverts selected VoIP calls to a bogus IVR (interactive voice response) or bogus representative [13].

C. Confidentiality Threats

Confidentiality means that the information cannot be accessed by unauthorized parties. The confidential information for network components includes operating systems, IP addresses, protocols used, address mapping, user records, etc. A leak of this information might make attackers' jobs easier.

1) Eavesdropping: Eavesdropping attacks describe a method by which an attacker is able to monitor the entire signaling and/or data stream between two or more VoIP endpoints, but cannot or does not alter the data itself [13].

2) Unauthorized Access Attack: An unauthorized access means that the attacker(s) can access resources on a network


that they do not have the authority to access. Shawn Merdinger reported multiple undocumented ports and services in certain VoIP phones [18].

3) Theft of Service: The objective of this attack is to take economic benefit from a service provider by means intended to deprive the provider of lawful revenue or property. Such theft includes: unauthorized deletion or altering of billing records; unauthorized bypass of lawful billing systems; unauthorized billing; and taking of service provider property. The attacks are listed below [22].

Invite Replay Billing Attack: The INVITE replay billing attack exploits the vulnerability of SIP authentication. In this attack a MITM intercepts an INVITE message with credential information and sends it to the attacker; upon receiving the information, the attacker can mount a replay billing attack by replaying a modified INVITE message.

FakeBusy Billing Attack: In the FakeBusy billing attack, the attacker hijacks the call between VoIP subscribers and prolongs the call duration. As a result, the call attempted by the VoIP subscriber fails, and the VoIP subscriber is billed for the unauthorized call.

ByeDelay Billing Attack: This billing attack prolongs the duration of an established call between UAs (Alice and Bob) by delaying the BYE message. The caller terminates the call by sending a BYE message, which is blocked by the MITM. Because of this, the service provider is under the impression that the caller and callee are still actively communicating. As a result, the callee is charged for the unauthorized call.

ByeDrop Billing Attack: The MITM intercepts the BYE messages sent by the callee and replies to them with 200 OK messages; as a result, the caller and callee are under the impression that the call has been terminated successfully. This allows the MITMs to exchange bogus RTP streams for about 20 minutes, until MITM2 stops sending RTP streams.

3) Call Pattern Tracking: This is an unauthorized analysis of VoIP traffic from or to any specific nodes or network so that an attacker may find a potential target device, access information (IP/port), protocol, or vulnerability of the network. It could also be useful for traffic analysis: knowing who called whom, and when.

4) Data Mining: Like email spammers who collect email addresses from various sources such as web pages or address books, VoIP spammers also collect user information such as phone numbers from intercepted messages, which is one example of data mining [19].

5) Reconstruction: Reconstruction means any unauthorized reconstruction of voice, video, fax, text, or presence information after capturing the signals or media between parties. The reconstruction includes monitoring, recording, interpretation, recognition, and extraction of any type of communications without the consent of all parties [19].

D. Social Threats

False presentation of information together with unwanted contact are the only social threats that can be traced back to a technical background in the case of VoIP. Examples are:

1) VoIP Phishing: VoIP phishing involves an attacker creating a phone number that appears to represent a legitimate organization such as a bank. VoIP allows an attacker to easily set up a malicious IVR (Interactive Voice Response) system with a toll-free number that is harder to trace than one set up on the PSTN. This type of fraud may be more effective than email-based phishing since victims tend to trust a phone number more than a URL [18].

2) Call Spam (SPIT): Call (or voice) spam is defined as a bulk unsolicited set of session initiation attempts (for example, INVITE requests), attempting to establish a voice or video communications session. If the user should answer, the spammer proceeds to relay their message over real-time media. This is the classic telemarketer spam, applied to VoIP, such as SIP. This is often called SPam over IP Telephony, or SPIT [18].

3) IM Spam (SPIM): This is similar to email spam. It is defined as a bulk unsolicited set of instant messages whose content contains the message that the spammer is seeking to convey. This is often called Spam over Instant Messaging, or SPIM. SPIM is usually sent in the form of request messages that cause content to automatically appear on the user's display. The typical request messages in SIP are as follows: the SIP MESSAGE request (most common); an INVITE request with large Subject headers (since the Subject is sometimes rendered to the user); and an INVITE request with text or HTML bodies [18].

4) Presence Spam (SPPP): This attack is similar to SPIM. It is defined as a bulk unsolicited set of presence requests (for example, SIP SUBSCRIBE requests) in an attempt to get on the "buddy list" or "white list" of a user to subsequently send them IMs or INVITEs. This is occasionally called SPam over Presence Protocol, or SPPP [18].

5) Unwanted Lawful/Unlawful Contact: The attacker contacts the victim for unlawful or lawful purposes (e.g. extortion, telemarketing, etc.). Note that unwanted lawful contact in the case of VoIP is also referred to as SPam over Internet Telephony (SPIT); SPIT discussion is excluded by the SPEERMINT working group per its charter [23].




Mitigation Technique

where possible. 7. Perform SIP-aware NAT and media port management. 8. Perform granular Call Admission Control (CAC) Control the number of simultaneous calls. 9. Monitor for unusual calling patterns. 10. Provide detailed logging of all SIP messages. Log everything for non-authenticated calls. [17] The IP security (IPsec) suite provides a set of services to protect IP packets from session hijack attack. IPsec can provide confidentiality, integrity, data origin authentication services as well as traffic analysis protection . Introducing IPsec in Internet telephony can safeguard signaling and data from network vulnerabilities provided that some sort of trust (e.g. pre-shared keys, certificates) has been established a-priori between the communicating parties Use secured devices for communication and switching of voice as well as data.[9] Use Strong authentication and password at device level.[9] Control access through authentication, authorization and accounting (AAA). Utilize admission control to verify posture of devices.[9] Maintain QoS on all media packets. Give priority to media packets and preserve QoS markings Use S/MIME which support authentication, integrity protection and confidentiality of SIP signaling data. To mitigate registration spoofing, proxy impersonation, call hijacking strong authentication and software patching is essential.[27] VoIP vulnerability scanning tools like Sivus is strongly Suggested To prevent theft of services deploy Cisco intrusion prevention systems (IPSs) which report attempted intrusions as well as automatically drop traffic exhibiting abnormal behavior associated with information theft . [29] To avoid massage alteration use strong encryption like SH Mitigation technique to avoid Availability Threats To prevent signaling and media attack like Registration Hijacking, Session Teardown, SQL Injection Attack, Invite Flood ,RTP Flood ,implement specialized VoIP firewall which will have following feature . [15] 1. 
Discard packet based on know rule. 2. Identify new signature of virus. 3. Monitor adequate bandwidth for known good calls. 4. Monitor for and drop rogue RTP stream. 5. Investigate header of each packet to filter spoofed message. To avoid well know SIP DoS and Invite Flooding attack implement firewall Which work on two key techniques. First, it uses a rule-based engine to execute
International Journal Publishers Group (IJPG)

In following section we have proposed various mitigation techniques to eliminate or avoid the above discussed threats. A Mitigation technique to avoid Integrity Threats To prevent massage alteration established secured communication channel between communicating parties using SSL . It support all major security feature such as massage Integrity, Confidentiality, Authentication.[38] To prevent media alteration and degradation use SRTP protocol. Use IDS Technique to avoid Message malformed attack, like SQL Code Injunction attack and hijacking attack .[13] Another technique for preventing SQL tampering in SIP is all SIP message send digitally signed to receiver. As a result, any modification in a SIP message can be detected and discarded by the SIP server. Generally, digital signatures can protect SIP messages from any sort of tampering attack. Nevertheless, digital signatures scheme requires the installation of a global or layered Public Key Infrastructure (PKI) beforehand. Moreover, this method is totally ineffective against insiders. Finally, in order to avoid errors in input validation or to prevent any other malicious attempt, the SQL account that the SIP server uses to connect to the database must have only the minimum-required privileges.[12] To prevent RTP injection attack send encrypted massage using AES use AES encryption technique and digital signature with secured hash. If possible replace RTP protocol by SRTP (secured RTP) protocol SRTP support confidentiality and integrity of RTP protocol. SRTP also prevent media DoS attack. To prevent RTP injecting attack use ZRTP protocol for secured media signaling To make SIP signal secured and to avoid spoofing and hijack attack use transport layer security (TLS). TLS is able to protect SIP signaling messages against loss of integrity, confidentiality and against replay. It provides integrated key-management with mutual authentication and secure key distribution. 
TLS is applicable hop-by-hop between UAs/proxies or between proxies. The drawback of TLS in SIP scenarios is the requirement of a reliable transport stack (TCP-based SIP signaling). TLS cannot be applied to UDP-based SIP signaling. [32] TLS signaling protection in trusted network ,But in un trusted network a firewall/NAT is required along with TLS. Firewall should monitor inbound and outbound traffic based on following rules. 1. Monitor for directory scanning. 2. Monitor for external registration hijacking attempts. 3. Monitor for malformed SIP messages. 4. Check VIA headers and RECORD-ROUTES. 5. Block obviously malicious teardown requests. 6. Support TLS and other standards-based security



rules that model SIP vulnerabilities. These rules are executed against SIP protocol messages, transactions and dialogs. Second, it monitors the SIP protocol to enable stateful semantic tracking through stateful objects claimed by vulnerability defense rules. Hence, rules that model SIP vulnerabilities are based on both protocol behavior and attack signatures. [10]

The SIP BYE/forced teardown attack is the result of the absence of encryption, message integrity and authentication. Apply strong encryption and integrity techniques to all session initialization messages. The encryption algorithm uses a series of transformations: 8 S-boxes (for 8*8-bit data), 4 different keys for 4 cycles of encryption, and a varying rotation operation applied to the encrypted data to make the encryption stronger. The SHA-1 message digest algorithm is used to retain the integrity of the data/message. A second level of encryption is applied to (Encrypted Message || Message digest) under a key that is exchanged via a secured communication channel.

Use a traffic monitoring and detecting system to avoid INVITE flooding, RTP flooding and SIP scan attacks. This model consists of the following components.

NetFlow Collector: This module controls the connections between a number of VoIP observation points and the SIP traffic monitoring and detecting system. It decodes the NetFlow and itemizes SIP/RTP information to measure VoIP traffic for each item.

VoIP Traffic Monitoring and Analyzing Module: This module calculates the statistics used for VoIP traffic monitoring (e.g. SIP/RTP traffic volume, session count etc.) and traffic analysis (e.g. ratio of caller/callee IP, the number of each SIP method etc.).

Abnormal VoIP Traffic Detecting Module: This module detects VoIP network threats in accordance with the detecting rules.

Use TLS, which protects SIP messages against replay attacks. [32] Use S/MIME, which provides a set of functionalities of which SIP utilizes two: integrity and authentication tunneling, and tunneling encryption. However, this solution mandates the deployment of a global S/MIME Public Key Infrastructure (PKI). S/MIME is used to encrypt and sign the Session Description Protocol (SDP) portion of SIP packets. The header is still transmitted as plain text. S/MIME guarantees end-to-end security.

Change default passwords and enable SIP authentication. Use devices which support the SRTP cipher technique. Use VLAN with 802.1x in internet to split data and voice traffic. Disable Telnet in the phone configuration, allow only
to administrators.

To avoid message tampering and voice pharming attacks, encrypt transmitted data using mechanisms such as IPsec, TLS and S/MIME. IPsec provides encryption of SIP messages at the network layer. IPsec supports both end-to-end and hop-by-hop encryption, and it supports the Internet Key Exchange (IKE) protocol for key management. [12]

The tiny fragment attack can be prevented at the router by enforcing rules which govern the minimum size of the first fragment. This first fragment should be made large enough to ensure it contains all the necessary header information. [28] A tiny fragment attack can be defeated by discarding all packets where the protocol type is TCP and the IP Fragment Offset is equal to 1. The Teardrop attack has also been around for some time, and most operating system vendors have patches available to guard against this sort of malicious activity.

To prevent the malformed message attack, use an IDS technique in which any incoming message is examined against the existing malformed-message rules. When a header is found to be malicious, further processing of the message is paused, the Check-Msg module drops the message and records it into a Bad-Transactions file. [11]

Current IDS have failed to detect new anomalies. To address this, an IDS using a neural network and fuzzy logic is used to detect and learn from unknown attacks, with a special focus on DoS attacks. A neural network is capable of analyzing the data from the network even if the data is incomplete or unclear. In addition, a neural network is capable of processing information from multiple sources; it uses back propagation for training and testing of the IDS. The fuzzy rules generated by the proposed strategy are able to provide a better classification rate in detecting intrusion behavior. [30]

The system then analyzes input files and classifies them into different types of attacks. The system is trained to detect the following types of DoS attacks: Re-INVITE, Teardrop/BYE, CANCEL, ICMP flood/Smurf and Ping of Death. Normal traffic is ignored by the IDS; when an attack is detected, it generates an alarm. The detected attack is then fuzzified to get its severity. During fuzzification, depending on which attack is detected, inputs are provided to the Fuzzy Inference System (FIS) and the corresponding defuzzified value is obtained, which marks how severe the attack is. Severity is classified as Trivial, Warning and Lethal. [30]

An ANN IDS will reside on a proxy server. As testing input to the neural network, the packet details are read from the connection database. The connection database is derived from captured packets. [30] An ANN-based IDS needs to be trained before it is tested. To achieve this, the IDS reads input from the KDDcup99 database. [31]
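The two tiny-fragment rules described above (a minimum size for the first fragment, and discarding TCP packets whose fragment offset is 1) can be written as a stateless check on the IPv4 header. This is an added example, not code from the paper or from any router; the 20-byte minimum, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

TCP = 6
MIN_FIRST_FRAGMENT = 20  # assumption: a first fragment must hold the 20-byte TCP header

def ipv4(proto, frag_offset, more_fragments, payload):
    """Build a constructed IPv4 packet (checksum left at 0, it is not checked here)."""
    flags_frag = (0x2000 if more_fragments else 0) | frag_offset
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                         64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + payload

def verdict(packet):
    """Apply the two tiny-fragment rules to one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: no complete IPv4 header"
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return "drop: inconsistent header lengths"
    offset = flags_frag & 0x1FFF            # fragment offset in 8-byte units
    more_fragments = bool(flags_frag & 0x2000)
    transport_len = total_len - ihl
    if packet[9] != TCP:
        return "pass"
    # Offset 1 starts at byte 8 of the TCP header, so the fragment carries the flags field.
    if offset == 1:
        return "drop: TCP fragment with offset 1"
    # A first fragment must be large enough to carry the whole TCP header.
    if offset == 0 and more_fragments and transport_len < MIN_FIRST_FRAGMENT:
        return "drop: first TCP fragment too small"
    return "pass"

# Constructed packets, one per case the rules must distinguish.
SAMPLES = {
    "whole segment": ipv4(TCP, 0, False, bytes(20)),
    "tiny first fragment": ipv4(TCP, 0, True, bytes(8)),
    "offset-1 fragment": ipv4(TCP, 1, False, bytes(12)),
    "large first fragment": ipv4(TCP, 0, True, bytes(1480)),
    "udp offset-1 fragment": ipv4(17, 1, False, bytes(8)),
}

def classify_samples():
    return {name: verdict(pkt) for name, pkt in SAMPLES.items()}
```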



Mitigation Techniques to Avoid Confidentiality Threats

To avoid eavesdropping, use a lightweight IDS technique. [13] To prevent the billing attack, use SSL/TLS. It supports mutual authentication and establishes an encrypted channel between the two communicating parties. In this approach, a secure socket layer is first established between the communicating parties, and then the session initiation messages (INVITE, OK, TRYING, RINGING) are exchanged. The SSL/TLS approach does not run over the UDP protocol. [22] To overcome this limitation of SSL/TLS in a UDP environment, use a more secure protocol which supports authentication, encryption and integrity of all SIP messages. It uses a timestamp mechanism to prevent replay attacks. Before the actual encryption, a key is issued to the communicating parties by a trusted third party. [33]

Run VoIP traffic on VPNs to minimize the eavesdropping risk on critical segments. [25] Deploy VLANs to prevent eavesdropping attacks. To prevent eavesdropping, consider the following guidelines. [34]

1. Each network port receives only VoIP packets destined for this port and the attached terminal device according to a given ID
2. A reasonable network partitioning for security reasons should be introduced
3. All external connections should make use of dedicated lines or VPN solutions
4. VoIP calls over the Internet are not considered here, due to limited quality and security
5. A trustworthy VoIP provider should be selected

Use SRTP, which provides confidentiality, message authentication and replay protection for audio and video streams. [27]

Mitigation Techniques to Avoid Social Threats

The Interactive Voice Responder (IVR) should be trusted. Enforce SIP security by means of authentication, authorization and IPsec. [25] Use a honeypot to trap fake URLs. [26] To prevent the SPIT attack, use a call pattern analysis technique which assigns a count based on unwanted communication. This count is used to classify a user as an unauthorized caller.

5. Conclusion
In the early days of VoIP, there was no big concern about security issues related to its use. People were mostly concerned with its cost, functionality and reliability. Now that VoIP is gaining wide acceptance and becoming one of the mainstream communication technologies, security has become a major issue. We have described the concept and types of integrity, availability and confidentiality threats in detail. In order to obtain a maximum gain in security while maintaining good performance results, we have also proposed various mitigation techniques to prevent VoIP threats. This will give a new roadmap and guideline to researchers working in this domain.



Rohit Dhamankar, Intrusion Prevention: The Future of VoIP Security, [online]. Available: /resources/whitepapers/503160-001_TheFutureofVoIPSecurity.pdf, 2004.
J. Rosenberg et al., SIP: Session Initiation Protocol, IETF RFC 3261, June 2002.
ITU, Draft revised recommendation H323 V5, Geneva, 20-30 May 2003.
Ruishan Zhang, Xinyuan Wang, Xiaohui Yang, Xuxian Jiang, Billing Attacks on SIP-Based VoIP Systems, Proceedings of the first USENIX Workshop on Offensive Technology, August 06-10, 2007.
Atul Kahate, Cryptography and Network Security, 3rd Edition, Tata McGraw-Hill, 2003.
Housam Al-Allouni, Alaa Eldin Rohiem, Mohammed Hashem, Ali El-moghazy, VoIP Denial of Service Attacks Classification and Implementation, 26th National Radio Science Conference (NRSC2009), March 17-19, 2009.
Abd El-Aziz Ahmed, draft on Introduction to SSL, [online]. Available: ontents.htm, 1998.
Liancheng Shan, Ning Jiang, Research on Security Mechanisms of SIP based VoIP System, Ninth International Conference on Hybrid Intelligent Systems, 2009.
H. Abdelnur, V. Cridlig, R. State and O. Festor, VoIP Security Assessment: Methods and Tools, IEEE conference on VoIP MaSe, 2006.
Yanlan Ding, Guiping Su, Intrusion detection system for signal based SIP attack through timed HCPN, Second IEEE International Conference on Availability, Reliability, Security, 2007.
Abdelkader Lahmadi and Olivier Festor, INRIA Nancy Grand Est Research Center, Villers-lès-Nancy, France, SecSip: A Stateful Firewall for SIP-based Networks.
Dimitris Geneiatakis, Georgios Kambourakis, Costas Lambrinoudakis, Tasos Dagiuklas and Stefanos Gritzalis, SIP Message Tampering: The SQL Code Injection Attack.
Xinyuan Wang, Ruishan Zhang, Xiaohui Yang, Xuxian Jiang, Duminda Wijesekera, Voice Pharming Attack and the Trust of VoIP.
R. Zhang, X. Wang, R. Farley, X. Yang, and X. Jiang, On the Feasibility of Launching the Man-In-The-Middle Attacks on VoIP from Remote Attackers, in Proceedings of the 4th International ACM Symposium on Information, Computer, and Communications Security (ASIACCS), pages 61-69, March 2009.
G. Ormazabal, S. Nagpal, E. Yardeni, and H. Schulzrinne, Secure SIP: A Scalable Prevention Mechanism for DoS Attacks on SIP Based VoIP Systems, in Proceedings of the 2nd International Conference on Principles, Systems and Applications of IP Telecommunications (IPTComm), pages 107-132, July 2008.
Mark Collier, Voice Over IP (VOIP) Denial of Service (DoS), 24 May 2005.

[16] Tiago Ferreira, Exploiting VoIP Network CON Security Conference 2008.
Mark Collier, Basic Vulnerability Issues for SIP Security, 01 March 2005.
Patrick Park, VoIP Threats Taxonomy, Cisco Press, 24 Sept 2008.
Amarandei Stavila Mihai, Voice Over IP Security: A Layered Approach, 2006.
ICMP Attack, [online].
Narendra Shekokar, Satish Devane, A Novel Approach to Avoid Billing Threats, WSAT, Penang, Malaysia, 24-26 Feb 2010.
VOIPSA: VoIP Security and Privacy Threat Taxonomy, [online], 24 Oct. 2005.
Jason Anderson, An Analysis of Fragmentation Attacks, [online], March 15, 2001.
White Paper, A Enterprise VoIP Security Best Practices, [online] 200179.pdf, April 2006.
Mohamed Nassar, Saverio Niccolini, Radu State, Thilo Ewald, Holistic VoIP Intrusion Detection and Prevention System, IPTCOMM 07.
Jianqiang Xin, Security Issues and countermeasure for VoIP, [online] ty-issues-countermeasure-voip_1701, SANS 2007.
Chuck Semeria, Internet Firewalls and Security, [online] 0619.
White paper by Cisco Systems, Theft of Information: A Multilayered Prevention Strategy, [online] /Ciscoinfotheft.pdf.
Narendra Shekokar, Satish Devane, Anomaly Detection in VoIP System Using Neural Network and Fuzzy Logic, CIIT-2011.
KDD cup 99 Intrusion detection data set, [online].
NIST Publication, Security Consideration for VoIP System, NIST, Gaithersburg, MD 20899-8930, 2005.

[33] Narendra M. Shekokar, Satish Devane, Secured SIP using trusted third party, ICMLC-2011, Singapore, Feb 26-28, 2011.
[34] Andreas C. Schmidt, Securing VoIP Networks using graded Protection Levels, LNI, Gesellschaft für Informatik, Bonn, 2010.
[35] Gaston Ormazabal, Sarvesh Nagpal, Eilon Yardeni, and Henning Schulzrinne, Secure SIP: A Scalable Prevention Mechanism for DoS Attacks on SIP Based VoIP Systems, IPTComm 2008, LNCS 5310, pp. 107-132, 2008.
[36] VoIP Security Threats to VoIP Integrity, [online].
[37] Patrick Park, Voice Over IP Security, Cisco Press, 800 East 96th Street, Indianapolis, IN 46240, USA.
[38] Narendra Shekokar, Satish Devane, A Novel Approach to Avoid Billing Attack on VoIP System, WSAT, pages 982-986, February 2010.

Narendra M. Shekokar is working as an Asst. Professor at D.J. Sanghvi College of Engineering. He is pursuing a Ph.D. (Engg.) at NMIMS University. He obtained his Master's degree in Computer Engineering from Walchand College of Engineering. He has 15 years of teaching and 1 year of industry experience. His areas of interest and research are system security and computer networking. He has published 10 papers in international journals, international conferences and national conferences.

Dr. Satish R. Devane is working as the Principal of RAIT, Navi Mumbai. He obtained his Ph.D. in Information Technology from IIT Bombay in 2006 and a Master's in Electronics, first class, from Dr. B.A.M. University, Aurangabad, India, in 1994. He has 25 years of teaching experience at the postgraduate and undergraduate level. He has published 35 research papers in international journals and conferences. His areas of research are network security, smart card security and computer networking.

International Journal Publishers Group (IJPG)